Researchers at L2BEAT have flagged a suspicious governance proposal submitted to the Tornado Cash DAO.
It raised eyebrows for pointing to an unverified contract, something “very unusual for Tornado Cash DAO proposals… [and] a clear indication that the proposal should be treated as malicious.”
Adding to suspicions, the address of the proposer was funded by Railgun (a competing crypto privacy protocol) just four days ago.
Sergey Shemyakov, a ZK researcher, took to X to “summon” others to examine the proposal, which “shows pretty convoluted logic.”
The proposal purports to define a new fee structure and “establish a brand-new dynamic deflationary economic model.”
However, Security Alliance researcher Pascal Caversaccio alleged that the proposal is “malicious,” stating that its real purpose is to swap key addresses for spoofed lookalikes.
The current DAO governance address, which holds $23 million of TORN tokens, would be replaced by an attacker-controlled address which shares the same initial 15 characters.
A similar switch would be made on the staking governance proxy contract.
Caversaccio also notes that the spoofed governance address would be able to “zero out any relayer’s balance at will.” He called the proposal a “governance attack on Tornado Cash” and urged TORN holders to reject it.
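The lookalike substitution described above works because wallets, explorers and proposal summaries routinely truncate addresses, so two strings that agree on the first 15 characters look identical at a glance. The check a reviewer actually wants is a full, case-insensitive comparison of every proposed target against the DAO's published addresses, with any partial prefix match reported as a lookalike rather than silently treated as unknown. The following Python is an added example written for this article, not code from L2BEAT, Protos or the Tornado Cash DAO; every address in it is constructed for illustration and is not a real governance or staking contract address.

```python
import re

# Well-formed EVM address: "0x" followed by exactly 40 hex characters.
HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample addresses (hypothetical; not the real Tornado Cash contracts).
CANONICAL = {
    "governance": "0x1111111111111111aaaabbbbccccddddeeeeffff",
    "staking_proxy": "0x2222222222222222aaaabbbbccccddddeeeeffff",
}

# Constructed sample proposal: the governance target shares its first 15
# characters with the canonical address and then diverges.
SAMPLE_PROPOSAL = {
    "governance": "0x11111111111117e1aaaabbbbccccddddeeeeffff",
    "staking_proxy": "0x2222222222222222aaaabbbbccccddddeeeeffff",
}


def shared_prefix_len(a: str, b: str) -> int:
    """Count leading characters (case-insensitive, '0x' included) that two strings share."""
    n = 0
    for x, y in zip(a.lower(), b.lower()):
        if x != y:
            break
        n += 1
    return n


def classify_address(candidate: str, canonical: dict, min_prefix: int = 15) -> dict:
    """Compare one proposed address against every known canonical address.

    Returns a dict with status: "invalid" (malformed), "exact" (full match),
    "lookalike" (shares >= min_prefix leading characters but differs), or "unknown".
    """
    if not HEX_ADDR.match(candidate):
        return {"status": "invalid", "matches": None, "shared_prefix": 0}
    best_name, best_len = None, 0
    for name, addr in canonical.items():
        if addr.lower() == candidate.lower():
            return {"status": "exact", "matches": name, "shared_prefix": len(addr)}
        n = shared_prefix_len(candidate, addr)
        if n > best_len:
            best_name, best_len = name, n
    if best_len >= min_prefix:
        return {"status": "lookalike", "matches": best_name, "shared_prefix": best_len}
    return {"status": "unknown", "matches": None, "shared_prefix": best_len}


def audit_proposal(targets: dict, canonical: dict, min_prefix: int = 15) -> list:
    """Return one finding per role whose proposed address is not that role's canonical address.

    An exact match to a *different* role is also flagged, since pointing the
    governance slot at the staking contract is just as much a substitution.
    """
    findings = []
    for role, addr in targets.items():
        result = classify_address(addr, canonical, min_prefix)
        if result["status"] != "exact" or result["matches"] != role:
            findings.append({"role": role, "address": addr, **result})
    return findings


def run_demo() -> list:
    """Audit the constructed sample proposal against the constructed canonical set."""
    return audit_proposal(SAMPLE_PROPOSAL, CANONICAL)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['role']}: {f['status']} ({f['shared_prefix']} shared chars) -> {f['address']}")
```

Run against the sample proposal, the staking proxy passes and the governance target is reported as a lookalike of the canonical governance address with 15 shared characters. In practice the canonical set would be loaded from the DAO's published deployment records, and the same loop would be extended to refuse any target whose source is not verified on the block explorer, which is the other signal L2BEAT raised.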
All TORN up
Today’s governance attack is the latest in a long series of governance, legal and security troubles for Tornado Cash.
Tornado Cash last faced a governance attack in 2023 when a malicious proposal passed, granting an attacker a majority share of votes.
After selling around $800,000 of TORN tokens for ETH, the attacker created a new proposal to set its voting power back to zero. Not before washing the proceeds through none other than Tornado Cash itself, though.
The following year, multiple Tornado Cash IPFS front ends were injected with malicious JavaScript to leak sensitive deposit information to an attacker-controlled server. Even a hacker allegedly fell victim to the trap.
In the legal sphere, Tornado Cash was sanctioned by the US Treasury in 2022, though the decision was eventually reversed last year.
Although the protocol is no longer sanctioned, Tornado Cash developer Roman Storm was prosecuted last year for conspiracy to operate an unlicensed money-transmitting business, following a rocky trial.
Storm’s fate continues to hang in the balance. In April, a motion for acquittal was left unresolved and prosecutors are keen to retry two counts on which the jury remained deadlocked at the end of his trial.
The post Tornado Cash DAO faces ‘malicious’ governance attack, researchers warn appeared first on Protos.